• 6 months ago
Interview with National Privacy Commission Compliance and Monitoring Division Chief Atty. Rainier Anthony Millanes

Transcript
00:00Updates on Jollibee Data Breach, we will discuss with Atty. Rainier Anthony Millanes,
00:07the Chief of the Compliance and Monitoring Division of the National Privacy Commission.
00:12Atty. Millanes, good afternoon and welcome to Bagong Pilipinas.
00:18Good afternoon, Director Sheryl and Ma'am Nina.
00:22Thank you very much for the invitation and the opportunity to explain what Jollibee Data Breach is.
00:30First of all, sir, what is the update on the reported data breach or unauthorized access of Jollibee data?
00:40In our investigation, we found that this is connected to the possibility of connection with
00:50many extortion activities that are happening around the world.
00:56Specifically this, this June, we found that around 165 companies around the world are being attacked
01:09by their data lake or their data repository of personal and sensitive personal information of their clients or customers when it comes to Jollibee Group.
01:29As reported, this is affecting around 11 million customers, Director Sheryl and Ma'am Nina.
01:37Customers of Jollibee, Chowking, Greenwich, Red Ribbon, Mang Inasal, Burger King, Yoshinoya and Panda Express.
01:46We are currently looking into this and there is an initial investigation by Jollibee Foods Corporation.
01:55Their initial investigation here is about the unauthorized access to their cloud computing service, which is their data repository,
02:08what we call now technical.
02:10In the technical terminology, data lake, unauthorized access to the data lake, which involves this sensitive personal information,
02:21specifically the date of birth of 11 million customers and also the senior citizen ID numbers of their senior citizen customers.
02:34This is the latest update.
02:37This could be connected to a string of extortion activities.
02:43This is the demand for money in exchange for data or ransomware extortion activities that are happening around the world.
02:51Not only Jollibee was affected, but many companies around the world were also affected by this kind of attack.
03:01So you're saying that what happened in Jollibee is connected to what happened in other countries?
03:07There's a big possibility, ma'am.
03:10We can see that they are using the same cloud computing service or cloud database.
03:22We can see that they are using the same provider.
03:25This specific provider of Jollibee is also involved in a string of data breaches around the world.
03:35That's what we're looking at.
03:37There's a big possibility that Jollibee is also one of the customers of this cloud computing service that we saw that has a problem with their security.
03:49Sir, just to be clear, based on your investigation,
03:53were they able to get more on the customer's data or were they able to get confidential information from the company?
04:03Ma'am, this is a good opportunity to clarify.
04:06Ma'am Rapati, I will just explain what is a data lake.
04:10When we call it data lake, it is used to store information.
04:14All information about Jollibee, personal data or other data that might be stored,
04:22we deposit it or we imback it in that data lake or data repository.
04:29It can be compromised.
04:31Jollibee is still aware of the extent and they asked us,
04:37it is allowed in the rules of procedure of the NPC,
04:41they asked us for 20 days starting Saturday, last Saturday,
04:46additional 20 days for them to be able to personally identify and notify affected data subjects
04:55and also for them to conduct their internal investigation on the matter.
05:00What I can say for now, it is possible because when we say data lake,
05:06it is a collection of structured or unstructured data.
05:11So it is possible that it is not just personal data,
05:14but also the data of Jollibee employees,
05:17including the data of Jollibee that they use in their operations,
05:22including Director Sheryl.
05:25Okay.
05:26And as a warning to our countrymen,
05:29what should we monitor after this incident?
05:36That's right, Ma'am Nina.
05:38We need to monitor because there is a possibility that the data obtained here
05:44can be used by bad people or what we call cybercriminals
05:48in their collaboration, especially what we call identity theft or identity fraud.
05:56But most probably, this information will be used for the proliferation or increase of scam texts,
06:05scam phishing links.
06:06So the Filipino people, including the new Filipinas,
06:11should be smart, smart and knowledgeable.
06:16We should inform the authorities if we are experiencing or receiving these so-called phishing emails or scam texts.
06:25This is the way to compromise our personal data.
06:32And also, it's important for those who will be determined by Jollibee,
06:38they will give you a notification.
06:41It's their obligation to notify the data subjects affected by their personal data breach,
06:48their customers, the 11 million.
06:50They need to notify this individually.
06:53So if you are notified, it's also the obligation of Jollibee
06:56to provide assistance in protecting your data.
07:03So you should demand this from Jollibee.
07:06As long as you are a victim or your information is included,
07:09it's the obligation of Jollibee to help you protect your data,
07:14especially to provide you with stronger passwords,
07:20and to enable multi-factor authentication.
07:24Those are the industry standards for now.
07:28Atty., do we already have a lead on who did this?
07:33And is it also possible that this is an inside job situation?
07:38We are not ruling out, Director Sheryl, the inside job.
07:44We are continuing to evaluate this.
07:47In parallel, in our Compliance and Monitoring Division,
07:51we are evaluating data breach submissions.
07:54But in parallel, what the Commission is also doing,
07:57we have a Complaints and Investigation Division.
08:00So in parallel, they are the ones who are investigating
08:03on who did this.
08:06Other law enforcement agencies in the Philippines,
08:11PNP, Cybercrime, NBI, they are also with us
08:15to find out who did this data breach,
08:23the one hiding behind the name Spider.
08:26What is Spider?
08:29Yes, that was released on a well-known dark website.
08:38The person who released this data breach,
08:42his handle name is Spider.
08:45Okay.
08:46So we are continuing to find out where he is,
08:50who is this person, this cybercriminal, ma'am Nina.
08:57Is he in the Philippines or in another country?
09:01Possibly.
09:02Since this is an international group,
09:06so possibly because the string of hacking that happened
09:09is involving not only Philippine companies.
09:12The only one identified in the Philippines is Jollibee.
09:16But in the United States,
09:18they identified 50 companies in the United States.
09:21So this could be an international group
09:25that is attacking in a similar way.
09:29So that is what we are investigating
09:32to find out who is responsible
09:37and where did this unauthorized access happen
09:42leading to a personal data breach.
09:45For other companies, sir,
09:48what should they do now
09:50so that their system will not be hacked?
09:53Just like what happened here in Jollibee.
09:57So for us in the Philippines,
10:00we are very much reactive of these things.
10:04Best way, especially for the companies,
10:07you know that the National Privacy Commission is here
10:10to ensure that we have this compliance check mechanism
10:14and when we go through you,
10:16you will definitely pay administrative fines
10:19if you don't implement the proper security measures
10:22or the organizational technical and physical security measures
10:26for data protection.
10:27That is what we are ensuring.
10:29And I am advising all companies
10:32that have big data processing like Jollibee
10:35to beef up, to improve on your cyber security.
10:40Let's not let you be a victim of this.
10:46This will definitely cause damage
10:48to the reputation of your organization, among others.
10:51So it's better to be proactive
10:54and let's not be reactive.
10:56If we will be hit,
10:58let's just find a way to protect the data.
11:02Because it is our obligation
11:04and that is what we are ensuring,
11:05that we are doing our obligation
11:07to the Filipino people
11:09that when we process their data,
11:11we will also protect it.
11:15Okay, sir.
11:16Just send a message to our countrymen.
11:19There you go, Director Sheryl.
11:21To our countrymen,
11:23we call them data subjects like me.
11:26All of us are data subjects.
11:29So my message is
11:31let's be observant,
11:33let's be alert and let's be smart.
11:35We only trust,
11:37let's just trust
11:41the establishments and organizations
11:44that are processing data
11:46that comply with the Data Privacy Act of 2012
11:50and the laws in the Philippines
11:52as legitimate organizations
11:55processing personal and sensitive personal information.
11:58So for us,
12:00we always change our password
12:05but it's better
12:07to enable in all our accounts
12:10the multi-factor or multi-factor authentication
12:13that we call it.
12:14Because what I can say about password protection
12:18which is single-factor authentication,
12:20it is already almost two decades obsolete.
12:23So if there is a possibility
12:26that we enable our multi-factor authentication,
12:29we will enable it
12:31for the added protection
12:33and protection of our accounts
12:35where our personal data is stored.
12:39Okay, thank you very much for your time,
12:41Atty. Rainier Anthony Millanes.
12:43The Head of the Compliance and Monitoring Division
12:46of the National Privacy Commission.
12:50Thank you very much for the opportunity
12:52Director Sheryl and Ma'am Nina.
12:55Bagong Pilipinas Ngayon, thank you.
12:57Thank you.
